Use the links below to download Apache UIMA from
one of our mirrors. It is good practice to
verify the integrity
of the distribution files, using the signatures and checksums listed below in square brackets as asc, md5, or sha1.

Only current recommended releases are available on the main
distribution site and its mirrors. Older releases are available from
the archive download
site.

Apache UIMA is distributed as source and binary (ready-to-use) packages.
These are available in
zip, tar.gz and sometimes,
tar.bz2 archive formats. Please
note that the tar.* archives contain file names longer
than 100 characters and have been created using GNU tar extensions.
Thus they must be untarred with a GNU compatible version of
tar.

You can install current releases of the UIMA Eclipse tooling via our Eclipse update site.
There are two update sites: one is for versions of plugins for UIMA version 2, the other is for version 3 plugins.

If you're using Maven to build your projects, you can use the UIMA Maven artifacts that are
deployed to the Maven central repository.
See some of the Addons POMs for
examples on how to reference the UIMA jars in Maven.

You are currently using http://mirrors.ocf.berkeley.edu/apache/. If you encounter a
problem with this mirror, please select another mirror. If all
mirrors are failing, there are backup mirrors (at the end of
the mirrors list) that should be available.

UIMA V3 is a re-implementation of the core Java version. It represents Feature Structures as Java Objects,
allowing them to be Garbage Collected, for example. It depends on and exploits many Java 8 features.

The JCas implementation changed, and JCas classes (if used) will need to be migrated. The V3 users guide describes
a migration tool to aid in this process.

There are many new features, described in
this overview. For more details, please see the documentation for version 3, which can be found
here.
Changes since the beta version are listed in the
Release Notes.

You may be wondering what those .asc, .md5 and .sha1 files
on the download pages are good for. They are signature files that let you verify the integrity
and origin of the distribution artifacts (zip files, compressed archives) that you have downloaded.
The signatures come in two varieties. The .md5 and .sha1 files contain
MD5 and SHA1 checksums, respectively. The main purpose of those files is to let you verify the
integrity of your release artifact. You can use a tool to generate the same kind of checksum and
check that it's the same checksum as the one you downloaded. If the checksums agree, you can be sure
that your archive did not get corrupted during transmission.

The .asc files are so-called detached, ASCII-armored PGP signatures. They let you do
the same thing as the MD5 and SHA1 signatures, but they let you do something in addition: you can
use these signatures to verify that the release artifacts were signed by a certain, trusted source.
The .asc files contain checksums that were encrypted with the private PGP key of the
release manager responsible for the release. This is useful if you received the release files from
some arbitrary source, and you would like to be sure that what you have there is really a UIMA
release (and not something containing a virus, for example). You can then download the corresponding
public key from a trusted source, and use it to verify not only the integrity of the file, but that
it is actually the file the release manager signed in the first place. Anybody can tamper with
a released file and create a new checksum, but they can't fake the .asc file so it
will work with the public key of the release manager.

If you would like to verify your UIMA distribution or not is up to you, but unless you do it, you cannot
be sure that you have an uncorrupted copy. The next section will
tell you how can use each type of signature file.

Start by downloading and installing GnuPG, an
implementation of OpenPGP. There are many tools for verifying
MD5 and SHA1 checksums, here's the GnuPG way for MD5:

gpg --print-md MD5 <ReleaseFile>

and for SHA1:

gpg --print-md SHA1 <ReleaseFile>

You can simply compare the resulting checksum to the one contained in the <ReleaseFile>.md5
or <ReleaseFile>.sha1 checksum file. Use diff or your eyes, the signatures are short.

A better way of verifying a distribution file is to use the PGP signature provided in the
.asc files. To be able to use the PGP signature files, you need to obtain the UIMA
developers' public keys from a trusted source. The keys do come with the distribution as well,
but obviously using those is not a good way to ascertain the pedigree of a distribution. Instead,
get the keys from the main Apache distribution site (not a mirror), or
directly out of the UIMA SVN repository.

To verify an MD5 checksum, after downloading an artificat, use a command to generate the md5 checksum of the downloaded artifact.
On Linux or using Cygwin on Windows, this can be done using the command "md5sum" followed by the path to the artifact. There are also
programs you can download from the web to do this computation.

Once you have the sum, go to this page at Apache: https://people.apache.org/~henkp/cgi-bin/md5.cgi
and copy / paste the generated checksum into the box. The script on this page will then look up that
checksum in a table it keeps for all artifacts from Apache distributions, and verify the checksum is valid.